Tech Problem Aggregator

Bavariax trojan infection

Q: Bavariax trojan infection

I noticed on another post that I found by doing an internet search for "trojan downloader bavariax" that this virus has been around for quite some time. That post was from 2006. Well, I could have copied and pasted it here; the circumstances of the infection that I am currently trying to kill are almost identical. Our office manager's (my wife) computer is infected with the bavariax trojan as well as the Anti-Spyware 2010 or Anti-Virus 2010 nightmare. (I am sending this from my home computer.) Yesterday she opened up an email attachment and that's where it began. The following is what was in the header (she printed it):

From Raymond Reyna <archives>[email protected]>
To {my wife's email address)
Subject UPS Tracking Number G5XPARZ
Attachements 2 UPSNR_e92fa218.zip [application/zip] 28 kb

And the message contents is as follows:

Hello! Unfortunately we failed to deliver postal package you have sent on the 10th of July in time
because the adressee's address is not correct.
Please print out the invoice copy attached and collect the package at our office.
Your United Parcel Service of America

Well, as I said, she followed the instructions and right away got a warning saying her computer was infected with spyware and a screen indicating that Windows was downloading the latest greatest anti spyware. It put an icon on the task bar that will not close and shows up in the program list with an uninstall that will not "uninstall". That's where I come in.

This computer is running Windows XP Home Edition (came with the computer and she needs very little networking) with the latest updates. I downloaded and installed what was available first thing upon starting the computer. This computer also has Norton Anti-Virus (although the subscription is expired) but it seems to have been rendered useless as well.

On my direction she shut everything down (not on my direction she deleted the email prior to calling me, though it may be in her trash file if that's of any help).

I restarted the computer and found just what she had described. I had someone that was on an off site computer google "antispyware 2010 virus" and email any links that he found helpful. In the mean time I tried to run the following (followed by the result):

Hijack this (in normal mode) would not start, (in safe mode) would not start, even using "Run as : Administrator" wouldn't even show up on the task list
combo fix " " " " " "
Windows Defender- " " " " " "
Windows live on-line scanner (either mode) came back with an error on the page and would not initiate
Spybot search and destroy (either mode same as above)

Now here is where the questions really start.

The first link my friend sent me was "Antivirus Guys- Professional Advice". The recommended solution there was 2-part: 1st, download and run "Combo Fix", which I am familiar with. The site says "It's best to run it in safe mode but it will work either case".....not so, as I noted above. The 2nd part of the solution was to download a second tool (with the link) "Windows registry repair", claiming that the virus will leave a "ton" of registry entries behind. The link takes you to a site called "Registry Easy" (wasn't familiar with it, didn't download anything).

The second link my friend sent me led me to a site that advertised an "Anti Spyware 2010" removal tool (I am getting to these links from a different computer in our office; this computer is running Windows Vista Basic). I downloaded the "Tools" and saved them in the "public documents" file. Then I went to the infected computer (while running in safe mode with network support) and copied and pasted them to the shared document file of the infected computer.

As I said before, I attempted to run combo fix and it did not even register on the task list.

The second "tool" turned out to be "Spyware Doctor". It installed in safe mode (which none of the others would do), and also performed a scan......which took about three hours and thirty minutes. It identified the "Antivirus 2010" issue as well as quite a few others but would not correct them without.....you guessed it, paying for a fully registered version. Which I have not done. I thought it was a little strange that it was the only utility that would run, while others that I am familiar with would not.

When I tried to run the other utilities in normal mode I either didn't get any response at all or was given a message indicating that the network administrator had set rules that would not allow the procedure. Then if I tried to run it as administrator I would either get no response or some other error indicating that it failed to start. In safe mode, when I tried the "run as administrator", it would come back with "this process can't be started safe mode".

Well, that's about it.....other than the process can't be stopped in task manager. I killed everything but the ones that Windows protected. But I did keep getting multiple occurrences of the waudt.exe file on the task list, both with system and a user under "users name".

There are also some strange file names that have popped up that when googled come back with no matches. I don't have those with me right now but I can provide them in another post.

Sorry for the length of this thing but I wanted to get everything to you while it was still fresh. Of all of the computers in our office this one has the most critical data (i.e. accounting, payroll, time keeping, etc.) so I would greatly appreciate any help I can get. I don't have any problem doing a fresh reformat and reinstall but I want to make certain that I take steps to NOT worsen the situation.

The Bavariax trojan issue......I have found files named Bavariax.exe on the computer. Didn't know it was an issue until I did a google on "Anti spyware 2010" and it was noted as a by-product (a dangerous one) on another site. After which I started this topic.

More replies
Answer Match 56.7%

I can not get online at all. I had the bavariax.exe according to AVG. The virus seems to be removed?? but I can't get online. Should I just restore my computer?

Here is my hijack log:

ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:12 PM, on 7/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROG...

A:Bavariax/PP10

Hello bigworm,

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea

2 more replies
Answer Match 53.34%

Hello all,

My laptop was hit with a multiple virus infection while using Firefox.
Symantec seemed to have taken care of things at the time but I was still having some problems, and it didn't seem to be able to get rid of TDSS. I disabled system restore and tried to clean the registry manually, but wasn't able to find all the entries listed on the Symantec site. I disabled the TDSS driver via the control panel.
MBAM wouldn't install, so I tried Spybot which found a few other issues. Finally I was able to install MBAM and HJT from a disc, and connected back to the internet again briefly to update both.
I ran CCCleaner then MBAM in safe mode and MBAM seems to have cleaned everything (both MBAM and HJT scans looked ok afterwards, though there are still a few entries in the HJT log that look suspicious to me).
Everything seems to be fine now, and I proceeded to uninstall the old Java updates, got all the latest Windows updates, and then turned system restore on again.
I'm basically looking for some advice on what to do to make sure everything is in fact gone as there are those few HJT entries that look suspicious to me.
Thanks in advance!
DDS (Version 1.1.0) - NTFSx86
Run by mo at 16:50:17.96 on Tue 01/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2532 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ====...

A:Multiple Virus Infection: Trojan.Vundo, Trojan.VundoH, Trojan.BHO, Trojan.TDSS, Trojan.Agent, Trojan.Downloader, Malware.Trace...

My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your question, and we will go through it again. This seems like a tech issue and not a malware problem, but let's take a look and see what we find.

Sorry for the delay, please do the following...

ComboFix

Please download ComboFix from Here or Here
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License A...

12 more replies
Answer Match 45.78%

Lately my computer has been exceptionally slow. Blue screens a time or two. I've recognized a few other suspicious things such as 'Service Distribution Software 3.0' trying to install at 3 am for the past 2 weeks. I also looked at my ReportingEvents.log and noticed that even though Microsoft updates were downloading successfully they were not installing since 6-10-2010 (I went ahead and attached a copy of that as well). Also, Firefox was acting really funny. Taking a huge amount of time to load. I also found that even if I shut Firefox down, it was always running. Even if I went to Task Manager to kill firefox.exe, it was very difficult to get it to finally stop running.

I even saw a post here saying:

------------------------------------------------------------------------
QUOTE
Let's check your HOSTS file.
It's located at c:\windows\system32\drivers\etc\hosts.
You can open it up in Notepad.
If it's just some lines on top with a # in front of it and followed by 127.0.0.1 localhost, then you don't need to post it; however, if there are others following 127.0.0.1 localhost, you may have to fix it.
...

A:Trojan horse Vundo.JW - Trojan.Mebroot. Mebroot/Sinowal Infection, Trojan.Tracur, Trojan.TDSS or what?

Hi deetheis,

Welcome to Bleeping Computer! My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:

Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
Please do not do anything or perform other steps unless I have asked you to do so.
Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
If you are unsure of how to reply, or need help with anything regarding the website, please look here.

STEP 1 - MBAM

Open Malwarebyte's Anti-Malware.
Under the Updates tab, click Check for Updates. Let the updates install (if any).
After that, under the Scanner tab, click Perform Quick Scan and then Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Exit MBA...

2 more replies
Answer Match 44.1%

Howdy,

Yesterday the little brother decided to look at smut, and promptly infected our computer with an annoying program called Malware Defense. Tried safe mode avast, didn't work, uninstalled that, did some reading. After running rkill and using a randomly-generated malwarebytes .exe file, Malware Defense seems to be dead and gone from the computer. It doesn't launch all crazy at start-up and I've yet to see a return in the past three hours after I dealt with it. However, the HJT file seems to list Malware Defense as my AV, which is unsettling and suspicious.

However, Malwarebytes has also detected two Trojan.FakeAlert files, items "\\?\globalroot\systemroot\System32\H8SRTinrimeodbm.dll" and "\\?\globalroot\systemroot\System32\H8SRTinrimeodbm.dll". While the files have the same name, Malwarebytes lists one as a "memory module" and the other as a "file". I click on remove in Malwarebytes, restart, scan again, the infections are back. I noticed this infection file showed up as 'hidden from windows api' during one of the scans I ran for this HJT, but I've no idea what to do about it.

After running rootkit, I also received an error stating "Error - on-disk corruption detected - run chkdsk!"

The Trojan.FakeAlert does not appear to be doing anything clearly visible. I've read that it is supposed to spam you with fake anti-virus but it's not doing so at the moment an...

A:Trojan.FakeAlert Infection After Dealing with MalwareDefense Infection

Howdy, guys.

I know the list says not to bump, but the topic thread says it might take a few days and it's been a bit over a week, so I was wondering if this was left behind in a flurry of other topics or if I just put myself back in line another week.

Please let me know!

From reading the logs created by this website's programs and processes and looking at the corresponding file names in MalwareBytes, I think I see where the files are (all those H8SRTd things) but I have no idea how to make them actually show up so that I can get rid of them.

3 more replies
Answer Match 43.68%

Edit: Trojan Horse BHO.HJE infection post Trojan horse generic 12 infection (by post I mean after)

Trojan Horse BHO.HJE infection AFTER Trojan horse generic 12 infection

I have resolved or am in the process of resolving this trojan horse generic 12 infection when AVG informed me that I now have trojan horse BHO.HJE. I ran a malwarebytes smart scan and nothing found. Here are the results of HJT scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:02 AM, on 2/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin&...

A:Trojan Horse BHO.HJE infection post Trojan horse generic 12 infection

Hi sharma10,

Welcome to the BleepingComputer forums.

We apologize for the delay in responding to your request for assistance. Every one of our team members is a volunteer and unfortunately, there are often just not enough to keep up with demand. Thank you so much for your patience.

If your issue has been resolved or you have received help elsewhere, please post a reply here and let us know so that we can close this thread.

If you still need assistance, my name is SpotCheckBilly (SCB for short) and I will be happy to help you.

===Very Important===
The instructions in this thread have been specifically designed for THIS USER'S MACHINE ONLY. You should not use these instructions to clean your machine. Doing so could cause irreparable damage to your machine. If you need assistance, please start your own thread.
=================

A few things which will make our fix go more smoothly.

Please >> DO NOT << run any scans/tools or other fixes unless I ask you to.
Please DO NOT install any software while we are working.
Please do not skip any steps. With some infections skipping a step can be disastrous.
If there is something you don't understand or are unsure of -- please stop and take a moment to ask about it.
If you are running P2P filesharing program(s), my recommendation is you uninstall it/them.
Remove any cracked/pirated software. I will immediately stop helping you if I discover any.
The most important thing to remember is to be patient. Very seldom can we remove the ...

1 more replies
Answer Match 42.84%

I have started having problems with my new laptop (> 2 mos old). It has problems coming out of sleep mode, it shuts down unexpectedly, and I have also found browser history files for websites I have never gone to. I ran Spybot Search and Destroy and found no spyware files, but when I looked at my startup, I found a blank registry file that S&D said was connected with multiple trojans and worms including agbot-ku worm, mkmoose-a worm, delf-ux trojan, sdbot worm, and the dadobra-iw trojan. So now I am here. I have run a hijack this program and also Deckard's system scanner. Here are the results. Any help would be great, thank you.

Deckard's System Scanner v20071014.68
Run by Tim on 2008-04-18 19:02:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
29: 2008-04-18 15:02:42 UTC - RP69 - Windows Update
28: 2008-04-15 23:35:51 UTC - RP68 - Windows Update
27: 2008-04-13 15:19:00 UTC - RP67 - Windows Update
26: 2008-04-10 21:14:02 UTC - RP66 - Scheduled Checkpoint
25: 2008-04-09 07:00:26 UTC - RP65 - Windows Update

-- First Restore Point --
1: 2008-03-12 18:59:05 UTC - RP38 - Device Driver Package Install: ATI Technogies Inc System devices

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Tim.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:14 PM, on 4/18/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Inte...

A:Laptop Infection Dadobra-iw Trojan, Delf-ux Trojan, Agbogt Worm

Hello tpokoy, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in the effort to clean up your computer.

Please allow me some time to study your log and I will get back to you. In the meantime, if you have run any additional tools to try and do repairs or made any other changes to your computer since you first posted the DSS log, please let me know.

I would also ask that you refrain from running any additional tools unless I ask you to while we are in the process of cleaning everything up. It is necessary that we as helpers know what is being done on the system at any time in order to best formulate a fix.

Thank You,
thewall

10 more replies
Answer Match 42.84%

Help! My computer is infected! I ran Kaspersky full scan and it found the following, but is unable to get rid of them:

virus HEUR:Trojan.Script.Iframer
Trojan program Exploit.JS.Pdfka.bta

Below is the hijack this log. It's also attached. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:25 PM, on 3/29/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system3...

A:Infection! Trojan.Script.Iframer, Trojan program Exploit.JS.Pdfka.bta

Help! My computer is infected! I ran Kaspersky full scan and it found the following, but is unable to get rid of it:

Rootkit.win32.agent.bdkq

Below is the hijackthis log. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:25 PM, on 3/29/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\conhost.exe
C:\Program Files\TrendMicro\HiJackThi...

18 more replies
Answer Match 42.42%

Quick background - My young teenage son clicked on pop-up for Duck Hunt. He told me after he clicked popup he got message that "something" was being installed but he couldn't stop it. And now I am infected with some kind of virus.

I ran full scan on my McAfee, rebooted when it told me to and ended with the log showing following infections on my computer:

DNSCharger.r (Trojan); Generic FakeAlert.k (Trojan); FakeAlert-SpywareGuard.gen.b (Trojan). Major location of them appears to be in c:\windows\system32 - with different dll files. There is also a message about an unwanted program (log's words) SetupGamevance[1].exe in Temp Internet files\Content.IES
(I'm not sure if you need the actual path but if so I can enter them). I just can't seem to copy and paste the info or print the log out.

All are showing in the log as "cannot be removed" except for the Gamevance which shows as "cannot be repaired" and McAfee did not or cannot quarantine them.

I know that at least one of them is trying to redirect me on google search. This is what clued me in to what happened, when I was looking for a site and it tried to tell me it was at a different address from what I remembered. I'm not sure what the others will do.

Is there something I can do to get these off my computer? Can some one help me?

I am running Windows XP Home Edition Version 2002 Service Pack 3. I have an Emachine T3104. Not sure what other info I need to ent...

A:Infection - DNSCharger.r (Trojan), Generic FakeAlert.k (Trojan) and SetupGameVance.exe

Please download Malwarebytes Anti-Malware (v1.38) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will...

12 more replies
Answer Match 42.42%

I scanned my box with BitDefender 8 and it showed that I had about 14 infected files or so. It showed up as Trojan.Qrap.B and Genpark:Trojan.SillyDi50760. I tried removing/healing the infected files with BitDefender but it didn't work. I tried every other free AV but to no avail. I tried Kaspersky's online scanning but it took too long .... and I had to give it up at some point. Here's the log from DSS:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-04-28 10:50:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 126 MiB (512 MiB recommended).

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:59 AM, on 4/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\csrss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\System32\alg.exe
G:\WINDOWS\E...

A:Trojan.qrap.b And Genpark:trojan.sillydi.50760 Infection

Hello pokemonDoom

Welcome to the Bleeping Computer Malware Removal Forum. Sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to.

You posted here for help with the same issue. The forums are so busy that we cannot afford to tie up two people helping one poster with the same problem. This is what you need to do: if you want to continue here that's fine, but you need to let the other forum know you're being helped here so they can close that thread, or vice versa.

http://www.techsupportforum.com/security-c...di-50760-a.html

If you choose to continue here I need to see a complete Hijackthis log and also the Kaspersky log if you still have it.

Download Trendmicros Hijackthis to your desktop.
Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
Open HJT, Scan and Save a Log File; it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit > Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

2 more replies
Answer Match 42.42%

PTTD: Post Traumatic Trojan Disorder
Several weeks ago, I got attacked after something slipped past resident McAfee. No popups, but my computer was running very slow, click on files would not open, running processes showed numerous host dll, internet restarts, and the cursor was always thinking and moving on its own. I ran several full scans (NOT in safe mode). MBAM found Trojan.generic, SAS found Trojan.fakeMS and clicker.FMS, Beta MBAR found Trojan.poweliks, McAfee nothing. My computer seems to be OK now, but I still think something is lurking with the refresh of paging while on the internet.
 
Just a few of many concerns: 
setbj in startup programs (disabled a year ago due to other event); don’t know how to delete it or if I should.
R3 - URLSearchHook: (no name) - {D8278076-BC68-4484-9233-6E7F1628B56C} - (no file)
Regedit: Windows software entry with numbers and then data Houdsodu!Rdbtshux; not sure if I should delete the main entry.
Microsoft office14 (hijackthis log), which I don’t have.
 
I followed the prep guide before posting. I hope the page is not out of date (2005).
Backup of data
McAfee shows firewall enabled
 
My computer:
Microsoft Windows 7 Home Premium
Version 6.1.7601 Service Pack 1 Build 7601
LENOVO IdeaCentre K330B x64-based PC
Intel® Core™ i3-2120 CPU @ 3.30GHz, 3300 Mhz, 2 Core(s), 4 Logical Processor(s)
LENOVO DPKT21A, 8/8/2011
SMBIOS Version           ...

A:PTTD after infection with Trojan.poweliks, Trojan.generic, fakeMS...

Hello, Welcome to BleepingComputer.

I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Wait for further instructions.

17 more replies
Answer Match 42.42%

hi, I have a possible Rootkit Zero access virus that Malwarebytes is picking up as rootkit.0access It's also picking up a trojan.small and trojan.sifef . Malwarebytes hasn't been able to remove them after several scans, removals and reboots. Recently I have also experienced unwanted audio playing in the background on my computer.

I have run SpyBot and Malwarebytes. but the files remain after a reboot.

As requested in the preparation guide I have done the following:

CD Emulators disabled with DeFogger
DDS has been run and the .txt file is copied below Attach file is attached
Attempted to create a GMER Log but was unsuccessful. GMER ended in a stack dump on two occasions so I quit while I think I was ahead

Thanks in advance for your help on this! I work shifts, so I may not always get back immediately following your posts
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_27
Run by User at 20:48:59 on 2012-06-16
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3327.1760 [GMT -3:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012&... Read more

A:Possible rootkit.0access / trojan.small / trojan.sifef infection

Download Farbar Recovery Scan Tool and save it to a flash drive. (You need the 32bit version.)
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe and press Enter
Note: Replace letter e ... Read more

28 more replies
Answer Match 42%

Hey,

I've recently gotten a trojan.vundo / Trojan.agent (are they the same thing?) infection, but I've managed to remove all but four of the infected files through MBAM.

Here's the log for MBAM:

Malwarebytes' Anti-Malware 1.33
Database version: 1691
Windows 5.1.2600 Service Pack 2

1/25/2009 12:13:36 AM
mbam-log-2009-01-25 (00-13-36).txt

Scan type: Quick Scan
Objects scanned: 57803
Time elapsed: 10 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\xxyyxYQg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ssqRHbXq.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6b70589-057d-4dc5-a644-c4b5fbb1904d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a6b70589-057d-4dc5-a644-c4b5fbb1904d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrhbxq (Trojan.Vundo) -> Delete on reboot.
HKEY_L... Read more

A:Recent Trojan.Vundo/Trojan.Agent Infection

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Even if things appear to be better, it might not mean we... Read more

25 more replies
Answer Match 42%

Hi,

I've searched around a little, but couldn't find anything similar. I have a problem with a trojan infection that won't go away. The pop-up says "trojan-clicker.win32.tiny.h", "trojan-spy.html.bankfraud.dq" and some other things. I've searched around, and it seems not to be dangerous, but it's annoying as hell. I've tried Ad-Aware, Spy-Bot, AVG and Mal-Ware, and it detects it, removes some of it, but it returns after next reboot.

Can you please help me delete it?

This is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:44, on 19.10.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Progra... Read more

More replies
Answer Match 42%

Hi,

Any help would be greatly appreciated. I used a friend's external hard drive which was infected and now my PC is infected as well as my flash drive. In more detail this is what is said in the AVG Anti-Spyware report:

C:\copy.exe - Infected with : Trojan.Copyself
C:\host.exe - Infected with : Dropper.Small.apl
The same applies to a host of other files....

Then another folder is infected with Trojan.Copier and another one that came up is Backdoor.Small.apl

Here is the HJT log :

Logfile of HijackThis v1.99.1
Scan saved at 12:31:11 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Acer\Empowering Technology\eP... Read more

More replies
Answer Match 42%

I am working on a Win XP SP3 Laptop and have had fake anti-virus infections over the last few months. MalwareBytes has helped me remove them by running in safe mode.

After working for awhile, I will start to get repeated "Internet Explorer Cannot Display the Webpage" errors (using IE8). I have tried SuperAntiSpyware, MalwareBytes, SpyBot, and Ad-Aware.

Even if they remove something, the problem returns. Ad-aware recently removed Trojan.1 and Trojan.Win32.Generic!BT. I think GMER removed a rootkit, but it closed before I could save the log and I reran it to produce this one.

Thank you.

Here are my DDS and GMER logs (attach.txt is attached)

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Peter at 22:39:38.31 on Fri 07/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.153 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Prog... Read more

A:Repeat Infection - Trojan.1 and Trojan.Win32.Generic!BT

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Please post the contents of log.txt.

Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
Reply to this thread; do not start another!
Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
Do not run any other tool until ... Read more

12 more replies
Answer Match 42%

Hi,

Yesterday I got virus warnings from AVG and Windows Defender. After running them, and Malwarebytes Anti-Malware, and ComboFix, I think I have cleaned them off. But I want to make sure. I would greatly appreciate any help and will make a donation if we can make sure I'm all clean.

The initial warning was for Trojan.Fakealert. Since then I have had detections of:
Trojan.Fakealert
Trojan.Agent
Trojan.Hanam
Adware.Minibug
Malware.Trace
Trojan.SHeur2.ANWV

Yesterday with repeated Malwarebytes scans in safe mode, and with ComboFix, I was able to get the system responsive again. Since then I have had detections of a trojan in a System Restore point (which I deleted) and in the Recycler (which I emptied).

Once again, some help reviewing logs to make sure I cleaned it off would be most appreciated!! My DDS logs are attached. I will check back frequently and provide any other info if needed.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Steven at 17:36:04.03 on Wed 07/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1008 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\s... Read more

A:Trojan.Fakealert and Trojan.Agent infection, hopefully almost cleaned

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

2 more replies
Answer Match 42%

Hi guys

This is my first post so let me know if I miss anything out.

For the past few days, I have had a major virus and trojan infection on my laptop and have no idea how to get rid of it. First I used Norton 360 and it said the trojan was removed but I was still having the same problems as before. I then downloaded spy sweeper and it found the following viruses and malware on my PC:

Trojan Horse found: trojan-agent-tdss
Virus found: Mal/FakeAV-AX
Virus found: Mal/Behav-170
Virus found: Mal/Generic-A
Virus found: Mal/Behav-035
Virus found: Mal/Refpron-B
Virus found: Mal/HckPk-A
Trojan Horse found: trojan-pushu
Trojan Horse found: trojan-downloader-popwin
Virus found: W32/Scribble-B
Virus found: Mal/Scribble-D
Virus found: Mal/AutoInf-A

It quarantined the files and deleted them, but the problems persist.

The problems are as follows:
internet explorer home page hijacked and the program keeps crashing
google hijacked so that search items will go to random sites about shopping etc.
It will not allow programs such as norton 360 to update and msn messenger can no longer connect to the internet
Anytime I try to go on a website about virus removal software it says the server cannot be found.

My laptop is a Toshiba Equium running on Windows Vista home premium Service Pack 2

Thanks in advance for your assistance
 

More replies
Answer Match 42%

I had a major issue with a trojan spy earlier today and now about 5 hours after it first began I would have to say that I manually removed almost all the infection from my system. I just have to run another virus scan when I manage to get an anti virus app installed again. It disabled my other app then I had to install another anti virus application, then it disabled that one too. I was in the process of trying to remove malicious software and every time I tried to delete one of them it shut my comp off. So I had to go the long way about it.....it's a lot better now than what it was before this happened. But still is a little slow besides I have disabled startup items in msconfig. When I try to reenable them, my comp is still slow but not really bad. To finish what I started I ran a scan after I downloaded hijack this. I have heard of it before but have never used it. Anyway here is my log from hijack this. Can you help me I'm not sure about this log file.

Logfile of HijackThis v1.99.1
Scan saved at 11:08:51 PM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\sys... Read more

A:Trojan Infection And Malware Infection

Hello Jenna,

A tip of the hat to noahdfear for this fix.

Print out these instructions as we will need to shutdown every window that is open later in the fix.

Download SmitRem and save the file to your desktop.
Double click on smitRem.exe and then click on Start. When it is done, click on the OK button. You should now have a folder called smitRem on your desktop.

Next, please reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

When your computer has started in safe mode and you see the desktop, close all open Windows.
Open the smitRem folder on your desktop and double click the RunThis.bat file to start the tool.
Follow the prompts on screen and wait for the tool to complete and disk cleanup to finish.
When the tool is finished, it will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned.
Reboot your computer back to normal mode.

Click on the Start button, then click on All Programs (or Programs), and then locate the SpywareStrike folder and right-click on it. Select the option to delete that folder.

C:\DOCUME~1\Jay\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\... Read more

2 more replies
Answer Match 41.16%

Hi, I'm new to this site, but it looked like good advice was given to others with the same problem I'm having. My computer is infected with Trojan.Vundo.H and Trojan.Agent Virus. Here is a list of the anti-virus programs that I ran:
Norton Anti-Virus
Ad-Aware
Threat Fire
F Secure
Bitdefender
Eset
Malwarebytes
SuperAntispyware

Malwarebytes & SuperAntispyware detected more infected files but they reappear after rebooting. I also keep getting the pop-up that Norton has removed Trojan.Adclicker after every reboot.

Here is my Hijack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:17 PM, on 10/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WI... Read more

A:Trojan.Vundo.H & Trojan.Agent Infection

Since I've posted the thread, I downloaded Zone Alarm in hopes that would help against further infection. I also downloaded Combofix, but I didn't do anything with it since it's advised not to do anything without supervision. I get a warranty disclaimer error message when it tries to open. I'm using Windows XP/SP2. I'm just hoping I don't have a backdoor Trojan. Does anyone out there think they'll be able to help?
 

1 more replies
Answer Match 41.16%

Hi,

I am running xp pro with CA anti virus, a d link router with firewall and ad aware SE all installed. I keep getting popups telling me that my AV is out of date (which it isn't) and also loads of other popups about system problems that don't exist. My anti virus does keep detecting and deleting trojans, but they keep coming back again. I have gone through all the steps you suggest before sending this in, as well as running "combofix" and "vundofix" but the problem just keeps recurring. I have appended both the hijack this and the combofix logs below, I can only hope they mean more to you than they do to me lol.

Can you help me please?

Many thanks in anticipation

Ron

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:27, on 14/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
F:\Program Files\Kontiki\KService.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
F... Read more

A:Errsowl.c Trojan And Vundo Trojan Infection?

Welcome to the BleepingComputer HijackThis Logs and Analysis forum. My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response, as I'm sure you can appreciate we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere then please let us know.

If you have not followed the info in the link below prior to posting your log then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help, please post a new Hijackthis log into this topic in your next reply.
Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.

11 more replies
Answer Match 41.16%

Have picked up a malware problem that is causing IE/Firefox to randomly redirect pages from search engine results page. Redirects occur both out of Yahoo and Google results. Pages are randomly redirected to sites like Toseeka, Shopzilla, Wesearchmaster, etc. Redirect from Google search results seems to occur after browser connects with "googleads.gdoubleclick.net". Tried many Spyware programs including Spybot & SuperAntiSpyware. Finally, Malwarebytes found and removed Trojan.Agent and Trojan.Vundo but redirect problem persists.

Log file of HijackThis follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:38 PM, on 3/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files&#... Read more

A:Trojan.Agent & Trojan.Vundo Infection

Hi,

I will handle your log. As I am in training, all my fixes have to be checked.
I'll get back to you as soon as is possible.

24 more replies
Answer Match 41.16%

Last week I noticed that my cooling fan was running very loudly.  I was concerned that my system would overheat and the computer would stop working permanently.
 
I opened up Task Manager and noticed there were many instances of dllhost.exe *32 running, which was taking up all the CPU power.  I did some further research on the subject and found out that my computer may be infected with two Trojans associated with this:  Trojan.Powelik and Trojan.Adclicker.  I found nothing out of the ordinary after running Norton Power Eraser and a full scan using Norton 360, but while running Malwarebytes I found someone - or something - attempting to gain access through 2 IP addresses:
 
95.215.1.57 and 31.184.192.90.
 
I have blocked both addresses.  Yesterday, Norton found, quarantined and deleted two tmp files associated with Trojan.Powelik:
 
00014365.tmp
00010890.tmp
 
Again, I ran a full scan, Power Eraser and Malwarebytes and thought everything to be normal, but the dllhost.exe *32 issue popped up again last night, making me think that the Trojans are still in the system somewhere.
 
I'd like to get rid of this issue for good, as this computer is one of my main means of communication.
 
Thanks for reading.

A:Trojan.Powelik and Trojan.Adclicker infection

Hi & to Bleeping Computer Forums!

My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:
My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1

Please run a FRST scan. This will help us diagnose your problem.
Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, d... Read more

23 more replies
Answer Match 41.16%

Hey Guys, Thanks for your help.

I got this laptop because normal windows would not boot up, it only boots up in safemode and has internet connectivity using safemode with networking.

With Eset online scanner I removed a cryptic trojan variant and a downloader variant.

Then I ran a combofix- it said I have zeroaccess virus.. -- I was not able to run it on restart because of the boot up problems

Though I am able to get online.

Other background info: because I was first chasing the Windows update error 0x8007043c - I had removed the other 2 virus scanners thinking the conflict between AVG and Mcafee was causing Windows to not start in normal mode.

Where do we get started?

HP Pavilion laptop
Windows Vista - SP1
Malware Malbytes installed as well

A:Infection: trojan - trojan downloader and zeroaccess

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck

2 more replies
Answer Match 41.16%

Eset identifies the following threat:
Object: C:\WINDOWS\SYSTEM32\SERVICES.EXE
Threat: Win64/Patched.B.Gen trojan

I've tried Malware Bytes a few times and it identifies Rootkit.0Access but even after rebooting the problem returns.

Eset has also flagged the sirefef.al trojan.

Please note I'm corresponding with you on a different computer, but I have network access to the infected computer and am able to copy log files and software tools back and forth. Your help is greatly appreciated!

The DDS.txt log is here:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Owner at 13:20:06 on 2012-07-24
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8191.6250 [GMT -7:00]
.
AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvc... Read more

A:Patched.B.Gen trojan & sirefef.al trojan infection

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more

18 more replies
Answer Match 41.16%

I was recommended to post here

ThunderZ from the Am I infected forum helped me out a "bunch" and sent me here

Topic referenced is here: http://www.bleepingcomputer.com/forums/t/276314/xp-pro-desktop-wont-load/ ~ OB

Original Post:

My laptop will not load the desktop - running Xp Pro Service Pack 3, HP Pavilion dv8000

When I start it up it goes through the regular process, reaches the log on screen, after entering password it says it is loading personal settings but only the wallpaper screen shows

No icons, no task bar, no startup programs showing

I have tried to open Task Manager but when I enter CTRL+ALT+DEL the Window Security box where you select Task Manager comes up, but when I select Task Manager this box disappears and it doesn't take me to Task Manager. It just stays on the wallpaper screen

Let me know if there is any other way to get task manager to open.

I have tried going back to a couple of prior restore points, but still same problem

Safe mode starts up fine, but I am not real sure of what to try from here to fix problem

Any help would be appreciated

He had me run SuperAntiSpyware and Malwarebytes Anti-malware.

It now seems to be starting up ok, but he recommended I still come here to make sure I am 100% clean

DDS log

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ron at 10:18:06.26 on 12/06/09
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.292 [GMT -8:00]

AV: avast! antivirus 4.8.1356 [VPS 091204-0] *On-acces... Read more

A:(Trojan.Crypt)-(Trojan.Zlob) - Possible infection

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response. If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or RootRepeal log please refer to this page and in step #6 and Step #7 for further instructions on downloading and running DDS & RootRepeal. If you have any problems just let me know in your next reply or simply post a Hijackthis log.

For your next reply I would like to see:
-The DDS logs---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.

Thanks again and we apologize for the delay.

With Regards,
Extremeboy

Answer Match 41.16%

When I type a search into a search engine (it doesn't seem to matter which one, i.e., AT&T, Google), a description of an appropriate match for that search term shows up. However the actual address is an advertising address such as monstermarketplace.com, airplat.com, info.com, moxiesearch.com, couponmountain.com. When I click the description, the browser takes me to the advertising destination. The spy sweeper recently found 2 trojans (ldpinch trojan and trojan.gen) which it quarantined, but the problem keeps occurring. I have run 2 virus scans (Computer Associates and McAfee) and Webroot Spysweeper which has supposedly quarantined the infection, but the problem with the search engine continues. When multiple pages of search results appear, pages past the 1st or 2nd will appear with the correct links.

Thank you so much for volunteering your time and energy to help me with this problem. Here is the DDS scan log:

A:trojan.gen and ldpinch trojan recent infection

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

* Tell me everything that you have done, if anything, to try and fix this problem.
* Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.
* Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.
* Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.
* Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes t... Read more

Answer Match 40.74%

Please help me! My Norton antivirus keeps popping up with notifications for trojan.gen, trojan.gen.2 and trojan.zeroaccess. The computer is almost unusable right now with all the pop-ups.

I am running windows XP 32bit

Thanks in advance!

A:trojan.gen, trojan.gen.2, and trojan.zeroaccess infection

Hello, I moved this to the Am I Infected forum for now..

Please click Start > Run, type inetcpl.cpl in the runbox and press enter.
Click the Connections tab and click the LAN settings option.
Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.

and click on Run as Administrator.

Reboot into Safe Mode with Networking

How to enter safe mode (XP/Vista)

Using the F8 Method

Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu. Select the option for Safe Mode with Networking using the arrow keys. Then press enter on your keyboard to boot into Safe Mode.

>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

Run RKill....

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4

Before we begin, you should disable the anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
... Read more

Answer Match 39.9%

I've been attempting to remove the Trojan.Vundo.H infection from a friend's computer for a while now, with no success. I've run Combofix, and have the log files which I will post below.Here is the DDS.txt log file:

A:Trojan.Vundo.H/Trojan.BHO.H infection

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.

DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Sca... Read more

Answer Match 39.9%

Hello kind volunteers!

I think I have a trojan on one of our office laptops. Searches are redirecting, and occasionally a box pops up asking for a network password for no apparent reason. Norton picked up something, but apparently didn't kill all of it. MalwareBytes said it fixed some issues, but on restart it still shows an infected registry key, and the searches are still redirecting.

Thanks for any help you can provide!

Here is the DDS log (other log and GMER log are attached):

A:trojan infection? (.fsharproj (Trojan.BHO) )

Hello, And to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.

The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you... Read more

Answer Match 39.9%

I have Windows Vista, and I just found out my Spy Sweeper has quarantined Trojan.gen and Trojan-Agent.gen. Although they are quarantined, should I worry about them?? Should I delete? [It does not say what file they are in or have infected, just under quarantine list] I don't want to delete and find out that it infected a file I need.

Any help??

A:Trojan.gen And Trojan-agent.gen Infection

Eehm, hello? If it is quarantined, then the file(s) were locked down.. NO access.. They are moved, quarantined, password-protected - if some AVs scan the PC they don't find the virus... So don't worry. Of course you can delete it with the remove button.

Answer Match 37.8%

Have been infected with the Trojan.BHO.H virus and Malwarebytes can not remove it! Please help! The contents of my DDS log are as follows:

A:Trojan.BHO.H infection

Hello and welcome. I apologize for the delay. If you no longer need help with this issue, we would appreciate you letting us know. Otherwise, please perform the following steps so I can have a look at the current condition of your machine. I realize that you have already posted logs, but because of the time that has passed I'd like a fresh set.

Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif

Disable any script blocking protection (How to Disable your Security Programs)
Double click DDS icon to run the tool (may take up to 3 minutes to run)
When done, DDS.txt will open.
After a few moments, attach.txt will open in a second window.
Save both reports to your desktop.

---------------------------------------------------

Post the contents of the DDS.txt report in your next reply
Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

Download GMER Rootkit Scanner from here to your desktop. Double click the exe file. If asked to allow gmer.sys driver to load, please consent. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

In the right panel, you will see several boxes that have been checked. Uncheck the following ... IAT/EAT Drives/Partition other than Systemdrive (typically C:\) Show All (don... Read more

Answer Match 37.8%

Hi experts,

I was on my laptop using Moxzilla and then my AVG Antivirus told me that there were four Trojans that were infecting my computer. AVG healed these trojans and moved them to the vault. I also noticed that my Windows Defender was disabled. But after, my Moxzilla crashed and when I went to click on it again, the computer told me that the Moxzilla file couldn't be found. I shut down the computer, and restarted it. As soon as I would enter my password, it would start up normally but then automatically shut off. As of now, I cannot log into my computer, either in normal mode or safe mode.
I am writing this on my home PC since I can't log into my laptop. I tried using the reinstallation DVD for Windows Vista Home Premium 32BIT on my laptop but my laptop won't read it!
I have a Microsoft Windows Home Edition XP Laptop and it is a Dell Inspiron. I bought it back in 2007, so it is an older model.
Please help!!
Thanks.

A:Trojan Infection!!

Hi,

Hopefully you have access to a computer that can burn CD's

We will need to make a BOOT CD

Print these instructions out so that you know what you are doing.

Two programs to download

First

Please download ISOBurner and save it to your desktop. This program will allow you to burn OTLPE.ISO to make a bootable CD.
Double click the ISOBurner set up icon to install the program, from there on in it is fairly automatic.
There are Instructions for the iso burner here if you need them.

Second

Download OTLPE.iso and save it to your desktop. Now burn OTLPE.iso to a CD using ISO Burner. (NOTE: This file is 292Mb in size so it may take some time to download.)

  • When downloaded double click OTLPE.iso > this will then open ISOBurner to burn the file to CD

  • Reboot the infected system using the boot CD you just created.

    Note: If you do not know how to set your computer to boot from CD follow the steps here

  • Your system should now display a REATOGO-X-PE desktop.

  • You will find an icon on the desktop called OTLPE > Double-click on the OTLPE icon.

  • When asked "Do you wish to load the remote registry", select Yes

  • When asked "Do you wish to load remote user profi... Read more

Answer Match 37.8%

Hello,
My XP pc has been attacked by trojans, it had the following damage as a result:-

a). Could not connect to the internet.
b). A flashing WARNING message appeared on my desktop saying that the PC had been corrupted and to run a virus cleaning application.

I downloaded and ran Malwarebytes and removed the trojans. I then rebooted. This removed the Warning message from my desktop. I also downloaded and ran Winsock fix VB_Winfix 1.2, this reconnected me to the internet. However, I am now finding that when I do a search on Google, it says redirecting and it downloads the infections again. I had tried to restore to a day before the infection but Windows is unable to restore to that day or other days (you press the button and nothing happens),

Could you please help me with this problem, as I don't know what else to do.

Thanks and regards,

David

A:Trojan infection

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Download RootRepeal.zip to your Desktop and click 'Extract all files' to extract the compressed file to its own folder.
Double-click on RootRepeal.exe to run it.
Click on the 'Report' tab, and then click on 'Scan'.
A window opens asking what to include in the scan.
Check the following boxes then click 'OK':
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
You will then be asked which drive to scan.
Check C: (or the drive your operating system is installed on, if not C:)
Click 'OK' once again.
The tool will begin scanning and may take a while to complete, so please be patient.
When the scan finishes, click on 'Save Report'.
Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
Post the log in your next reply.
------------------------------------------------------

Answer Match 37.8%

Hey all, my PC is acting up. NOD32 constantly showing messages of trojans such as conedex and sirfef. can't seem to get rid of them. I have:

-malwarebytes anti malware
-nod32
-spyware terminator

Help please?

A:Trojan infection

Download TDSSkiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)
Do not change the default options on scan results

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here.
If you get crashes in normal mode, run it in safemode with networking

Download ESET online scanner
Install it
Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats
Export the list to desktop, copy the contents of the text file in your reply

Answer Match 37.8%

Hi, I recently discovered in my school that my flash drive was infected with a trojan. The antivirus at school was Faronics. However, in my place Malwarebytes and MSE did not discover anything. My question is: Did Malwarebytes not detect that trojan? Does my computer possibly have an infection that Malwarebytes did not detect? If so, is it now possible that my computer and external hard drive are infected as well? I plugged in the flash drive to another computer as well.
     
A:Possible trojan infection

Please run the following:

Please download the appropriate version of Farbar Recovery Scan Tool (FRST.exe) from here:
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ (for 32bit systems)
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ (for 64bit systems)
save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

NEXT

Please download aswMBR.exe and save it to your desktop.
Double click aswMBR.exe to start the tool.
When asked if you want to download Avast's virus definitions please select Yes.
Click Scan
Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review.

Note - do NOT attempt any Fix yet.

You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Answer Match 37.8%

I've got a bad infection and would really appreciate any help!

Relatively new HP dm4t running the latest Windows 7 Home Premium with Symantec Endpoint Protection (SEP). It's quarantined a bunch of trojan files and Bloodhound.PDF.20 files, all found in my appdata\local\temp folder.

I will often get bursts of alert notifications from endpoint that a trojan was attempting to access a file in the temp folder. The action reads: "pending side effect analysis, access denied". Hundreds of these can pop up in an hour.

I've attached my SEP quarantine log and an image of the kind of notification I keep getting.

The DDS event viewer log is riddled with errors, including Symantec crashing.

Symptoms include:
-virus attempting to access files
-slow performance
-freezes and crashes
-very slow boot time
-frequent failure to boot (have to do a hard restart several times to get login screen)
-a couple internet crashes
-an instance where symantec-related sites and this site (techsupportforum) would not load though other sites loaded fine
-an instance where proactive threat support was turned off because "virus database wasn't up to date" and no amount of updating would fix it (had to uninstall and reinstall SEP)

Things I've tried:
-Running full scans with SEP (nothing found)
-Running full scans in safe mode, and safe mode thru command prompt (nothing found besides a tracking cookie)
-Once I tried deleting the files it said the trojan was tryin... Read more

Answer Match 37.8%

A friend sent me a couple of attachments (one .exe file). The .exe appears to have a couple of trojans associated with it according to AVG.

Internet Explorer not always opening web sites and computer running slower.... Followed instructions on cleaning computer and IE 8 troubleshooting.

I'm thinking that something is running in the background as I experienced none of these problems before running the .exe file.

Thank you.

A:Possible Trojan Infection(s)

Anybody out there?

Answer Match 37.8%

My daughter's laptop appears to be infected with multiple things. First, trend micro detected troj vb.cxl. Also, she has a blackscreen that says in red letters Warning! spyware threat has been detected on your pc. It continues with some other info and gives an ip address. I think there are some other issues and here is the hijackthis log:

A:Trojan Infection?

Welcome to the BleepingComputer HijackThis Logs and Analysis forum coachbob

My name is Richie and I'll be helping you to fix your problems.

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present, then restart your pc:

Viewpoint
Viewpoint Manager
Viewpoint Media Player

Your version of Sun Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Sun Java, and then update.

1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Re... Read more

Answer Match 37.8%

My Avira Antivir keeps notifying me of a TR/Dldr.Agent.htx.1 Trojan in my system. I've just finished scanning with Malwarebytes and nothing came up. This notification pops up every 5 minutes or so. Help please!

A:Trojan Infection. Help please!!!

Hello, Are you running XP or another?

Please run the tool here: How to remove Google Redirects

When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates, when done click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Answer Match 37.8%

Hello everyone. I'm using Vista SP2, by the way. Alright, I was doing a routine scan with MalwareBytes and it had found three infected files. Two were adware created by PopCap. I deleted those. The third one was far more troubling, however. The file was located in C:\Users\AppData\Local\Temp\svchost.exe. MBytes detected it as a trojan agent. After allowing it to delete the files and restarting to complete said process, I found yet another suspicious file in the temp folder. This one was named "ajx.bat". Apparently, this file is part of a trojan named "BackDoor-AJX". McAfee has an article on it (http://vil.nai.com/vil/content/v_99661.htm) and the files the malicious program creates. But, I didn't find any of the infected files on my computer. My fear is that the trojan is still lurking on my system. So, I've done an HJT scan. Here's my log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:22:12 AM, on 12/22/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18865)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files (x86)\McAfee Security Scan\1.0.150\SSScheduler.exe
    C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe
    C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Java\jr...

    I have some Trojans keep showing up when I do scans. I tried to do the GMER Scan but my computer kept crashing every time I ran the scan then running really slow on start up. Please help. Thank you.

    .
    DDS (Ver_2011-06-03.01) - NTFSx86
    Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_24
    Run by ShaneP at 11:04:07 on 2011-06-06
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3061.727 [GMT -5:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Windows\system32\lsm.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\...

    A:Trojan Infection

    Hello and welcome to the forums!
    My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.
    I would be glad to take a look at your log and help you with solving any malware problems.
    If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
    Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
    Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
    If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
    In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator...


    Hi,

    I recently came across a fake windows security pop up saying I should run a virus scan etc, while I was getting a 100% cpu usage from the avg .exe's.

    I did a virus scan with mbam and it removed over 150 infections. I also uninstalled avg and reinstalled it.

    The 100% cpu has ceased but I am now getting other problems. Every time I start up windows I get a windows error message saying "Sunbelt firewall service encountered a problem and needed to close" and it fails to start up. And on my guest account (probably where all the infections came from), I am unable to load any webpages using IE, even though it works on my main account. I am getting the error - res://ieframe/dll/dnserror.htm

    Could you please help me in fixing my problem as I still believe I am infected.

    A:Possible Trojan Infection

    Hello and welcome to BC.
    Please download TFC by Old Timer and save it to your desktop.
    alternate download link
    Save any unsaved work. TFC will close ALL open programs including your browser!
    Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
    Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
    Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

    Rerun MBAM (MalwareBytes) like this:
    Open MBAM in normal mode and click Update tab, select Check for Updates, when done click Scanner tab, select Quick scan and scan (normal mode).
    After scan click Remove Selected, Post new scan log and Reboot into normal mode.

    Next run SAS:
    Please download and scan with SUPERAntiSpyware Free
    Double-click SUPERAntiSypware.exe and use the default settings for installation.
    An icon will be created on your desktop. Double-click that icon to launch the program.
    If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
    If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then...


    Hi there,
    after using my girlfriend's laptop, I noticed it randomly plays soundclips at intermittent intervals. These clips aren't stored on the laptop, one was a commercial for a BMW and another was a recipe for mac and cheese!

    I switched off all the sounds and still they play. I've had a scout around and I'm told this is possibly a trojan infection. Any and all help would be greatly appreciated on this.

    dds:


    DDS (Ver_09-09-24.01) - NTFSx86
    Run by The Goonies at 16:21:48.38 on 26/09/2009
    Internet Explorer: 7.0.6002.18005

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk/
    uURLSearchHooks: H - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: D: {334b5227-d99d-38a9-8c7a-fc553cdd0848} - c:\windows\system32\cy37722.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [UniblueSpeedUpMyPC] c:\program files\uniblue\spee...

    A:Trojan infection

    Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

    Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

    Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

    ---------------------------------------------------------------------------------------------

    Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

    Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

    Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

    ---------------------------------------------------------------------------------------------

    Please visit this webpage for download links, and instructions for running combofix:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    ...

    Every time I run Malwarebytes Anti-Malware software, it says it finds a Trojan in the file C:\Users\Sarah\AppData\Local\Temp\low\COUPON~1.DLL and supposedly quarantines and deletes it. However, I have run the software multiple times and it still pops up every time. I tried to locate the file myself and of course couldn't find it. My laptop's been running a little slow, so I backed up most of my files to external memory, but I haven't seen much of a difference. I also don't know if it has been affected by the virus, but the touchpad below my keyboard acts up and is either sluggish or random.

    DDS (Ver_10-12-12.02) - NTFS_AMD64
    Run by Sarah at 16:10:34.99 on Thu 02/17/2011
    Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_22
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4057.1668 [GMT -5:00]

    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Wi...

    A:Trojan.BHO.H Infection

    Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

    Some things to remember while we are working together.
    Do not run any other tool until instructed to do so!
    Please Do not Attach logs or put in code boxes.
    Tell me about any problems that have occurred during the fix.
    Tell me of any other symptoms you may be having as these can help also.
    Do not run anything while running a fix.

    We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

    Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
    In order for me to see the status of the infection I will need a new set of logs to start with.
    Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

    DeFogger: Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    The application window will appear
    Click the Disable button to disable your CD Emulation drivers
    Click Yes to continue
    A 'Finished!' message will ap...


    Hi,

    I already run ad-aware scan with VX2cleaner, Spybot S&D, a virus scan by TrendMicro (found over 16000 infected files (trojan) in c:uploads, can't fix all of them) and finally another virus scan by pandasoftware (found over 5000 trojan infected files all has been fixed, and 42 adware not fixed). This is my HiJackThis log for now...

    Logfile of HijackThis v1.99.1
    Scan saved at 19:47:06, on 2005-09-13
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    c:\program files\Hema-Quebec\Client RPV\cvpnd.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe ...

    A:Trojan infection, plz help...

    Hi and Welcome
    It may help you if you print out or copy this page for easy reference.. Make sure to work through the fixes in the exact order it's listed.. These instructions only apply to HJT v1.99.1

    Please Keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes..


    Turn off System Restore instructions (WinXP)
    Rightclick My Computer | Properties | System Restore | check "Turn off System Restore", <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may re-enable System Restore and create a new restore point.

    SHOW HIDDEN FILES AND FOLDERS.
    To show hidden files instructions (WinXP)
    Doubleclick My Computer | Tools | Folder Options | View tab
    Select Show Hidden Files and Folders
    Uncheck Hide extensions for known file types
    Uncheck Hide protected operating system files (Recommended)
    Select Apply to All Folders | Yes | Apply | OK
    ------------------------------------------------------------------


    Files highlighted in BLACK will need to be removed from your hard drive.

    Folders that have been highlighted RED will need to be uninstalled.

    ------------------------------------------------------------------

    Please start by putting HJT in SAFE MODE. During reboot, tap the F8 key. Select Safe Mode and then run "Hijack This"
    ------------------------------------------------------------------

    Uninstall the following programs (if they still exist...

    I use tiscali (now talktalk) to connect to the internet, but the computer behaves as if tiscali was not connected. When I check this, it says that tiscali is connected. I cannot send or receive emails, and I cannot use google or anything else that requires the connection. The only thing I can do is to switch the computer off and on again. This does not always work, and sometimes I have to switch it off 2 or 3 times. When it does eventually work, I can use emails, google and every thing else as usual, but (1) it is very slow, and (2) it doesn't last. It crashes when I am using it and sometimes when I leave the computer for a few minutes and return. AVG has found several viruses, and there are 2 Trojans which it says are inaccessible, namely
    c:\windows\system32\sychost.exe\1284):\memory_001a0000 and
    c:\windows\explorer.exe(148):\memory_001a0000
    The AVG Resident Shield often finds a virus JS/Redir.AX, with 'more info'
    http://free.AVG/ww.virbase-appf10?ID...YTc1Yzg1MTAwMA
    I choose the first of the 3 options Move to vault, Go to file, It always quarantines the file successfully, but it doesn't stop it recurring.
    When I switch the computer on, a message appears briefly, saying 'Unable to start driver for hpoipm07.exe(hpoipm07.exe)'.
    That's about all I can tell you, but if the problem gets any worse, I may not be able to receive your reply.


    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Admin at 9:03:02.76 on 10/04/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows...

    A:Trojan infection

    Hello, Welcome to TSF.
    I'm nasdaq and will be helping you.

    You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

    Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix.

    Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

    If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

    Please ensure that you follow the instructions in the order I have them listed.

    Please do not install or uninstall any programs, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.
    ===

    Your Hosts file was corrupted. Try to restore the original file first.
    If you're not able right now, continue with the fix below and do this at the end of the fix.

    Go to: HostsXpert v4.3
    Download the program HostsXpert to restore the default hosts file back onto your machine.
    Unzip the program and execute it.
    Select
    "Restore MS Hosts File".
    Close the application.
    =*=

    Run this tool to stop the bad processes.

    There are 3 different versions. If one of them won't run then download and try to run the ot...

    Hi! I really hope someone can help me here! I have Vista OS. Tomorrow I was just sitting by my computer and suddenly recognised this strange event: my computer has connected to the internet by itself, automatically! I always log in to my ISP manually, auto connect is disabled, so I'm sure it's some kind of trojan infected my PC! Could it be a dialer or a backdoor? I checked my firewall log and I found these strange network connections: "Teredo Tunneling Pseudo-Interface" - these never appeared before. Can it be that the trojan uses this connection to backdoor to a remote computer?

    Here are my antispyware scan results:

    Anti-malware:

    Infected registry values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ati2sgav (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Updater (Backdoor.Bot) -> No action taken.

    Infected registry entries:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digest32.dll -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: snapapi32.dll -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopCha...

    A:Various trojan infection

    Hello and Yes that is what is happening. The malware is connecting and sending information back out.

    One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
    When Should I Format, How Should I Reinstall

    We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


    Hi, I have Vistax64 HP. I use Avast antivirus, and when i scan, it comes up that I have a trojan in both C:\hiberfil.sys and C:\pagefil.sys. I didn't know if I could just delete these files, or if that would be a bad idea since I know they are legit windows files. Any suggestions for getting rid of this virus?

    A:Need help with a Trojan infection

    go here and scan and clean your system:
    free scan and cleaning /no download

    NOD32 antivirus/antimalware
    Free Virus Scan: Use ESET's Online Antivirus Scanner


    Hi, I have 2 computers that have detected trojans on them. Shall I post both in this thread?
    I'll start with the laptop. While using Firefox, Comodo firewall will pop up an alert that SynTPEnh.exe is trying to modify the program and could be a trojan. Here is my HJT log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 8:22:34 AM, on 11/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Dell Network Assistant\hnm_svc.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\Program Files\Common Files\InstallShield\U...

    Hello today my computer seems to have downloaded some sort of malware and i really need help removing it. I ran malwarebytes but it only seems to have partly removed the infection.

    A:Possible trojan infection

    Hello, please post that MBAM log so I can see what it found.
    The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

    Now... Reboot into Safe Mode with Networking
    How to enter safe mode (XP/Vista)
    Using the F8 Method
    Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu. Select the option for Safe Mode with Networking using the arrow keys. Then press enter on your keyboard to boot into Safe Mode.

    >>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

    RKill....
    Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

    Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
    Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Admin...

    I started getting the 'An Unauthorized change was made to your license' error message some time ago but I ran a System Restore and it worked fine. Couple of days ago I had a trojan alert from windows defender. It was 'antivirus pro 2009' virus and I read some forums, downloaded Malwarebytes' Anti-Malware and it seemed to have fixed it. However, after I rebooted the system I got the 'An unauthorized...' message again which seemed really strange to me. When I run Malwarebytes it shows me Trojan.Zlob.H, Trojan.Agent, Trojan.Downloader, Hijack.Regedit, Hijack.FolderOptions. Also I was getting errors for the automatic windows update which I was just about to search how to fix before all this happened. I have little knowledge on how to fix this, I pre-installed vista about 2 months ago after having some issues and I have no idea how to fix it now.

    Any help will be appreciated.



    DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
    Run by Krum Dukin at 20:47:23.75 on Mon 04/20/2009
    Internet Explorer: 7.0.6000.16809
    Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1022.527 [GMT -4:00]

    AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:...

    A:trojan infection

    bump


    Hello, I have been getting help in another forum and was directed to come here: If helpful here is a link to the thread: http://www.bleepingcomputer.com/forums/t/218648/cant-remove-unknow-registry-entry/

    DDS log

    DDS (Ver_09-03-16.01) - NTFSx86
    Run by admin at 15:43:09.12 on Thu 04/16/2009
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.345 [GMT -4:00]

    AV: COMODO Antivirus *On-access scanning enabled* (Updated)
    FW: COMODO Firewall *enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\lxczcoms.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
    C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
    C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\admin\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,Pro...

    A:Trojan Infection

    I hope this doesn't mess up my turn in line, but Comodo A/V on access scanning has finally started to recognize the virus. I know I am not supposed to make any changes so I just quarantined them for the time being. It also has given it a name if that is helpful [email protected]


    I am running Windows 7 and have an infection that has blocked a large part of my harddrive, all my desktop icons are gone as well as 'my favourites' web pages. It even tried to block my access to TGS web pages saying Microsoft has determined the site has malaware problems (sic)
    I keep getting pop ups saying critical hardrive problem, etc, etc
    A program (usually 6 or 7 random numbers.exe) is trying to access the web. I have blocked this with my AVG.
    Task Manager shows many 'attrib.exe' entries, which I delete but they return. I have tried to shut down 'csrss.exe', I am blocked from doing this.
    After a few times showing the bogus errors I will get a 'delayed write warning' to a system32 file. If I close this then my computer shuts down.
    Here is my HiJack This file:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:07:22, on 30-Apr-11
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16766)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    D:\Programme Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    D:\Progr...

    A:Bad Trojan Infection

    Hi All,
    Can anybody help with this?
    Many thanks
    Toscar
     


    Hi, I currently believe that there is a virus/infection on my computer, due to many problems. It all started yesterday, when a virus scan came up with 1 problem, which was a hacktool.rootkit. A few hours later another scan was ran, and that didn't show up, this time 6 or 7 problems appeared, which all had Trojan in the description. On the last and most recent scan, these Trojans did not show up either, however a total of 46 problems appeared, mainly all of them were adwares. My computer is increasingly slow, and I'm not sure what to do. I downloaded and ran DDS, which worked fine and will be attached. However, the GMER did not work. It either "stopped working" the first two tries, and after that, midway through the scan my screen would go blue saying windows has shut the computer down for security purposes. I am running Vista.

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by family at 12:10:25.97 on 09/07/2010
    Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_11
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.1918.910 [GMT -4:00]

    AV: Norton Security Online *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: Norton Security Online *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
    FW: Norton Security Online *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    ============== Running Processes ===============

    C:\...

    A:Trojan/Infection

    Welcome to TSF :)

    Please download Malwarebytes' Anti-Malware from Here.



    Double Click mbam-setup.exe to install the application.
    Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    If an update is found, it will download and install the latest version.
    Once the program has loaded, select "Perform Quick Scan", then click Scan.
    The scan may take some time to finish, so please be patient.
    When the scan is complete, click OK, then Show Results to view the results.
    Make sure that everything is checked, and click Remove Selected.
    When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    Copy & Paste the entire report in your next reply.


    Extra Note:



    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    ====================================


    Download OTL.exe to your desktop.
    Double-Click on OTL to run it.
    When the window appears, underneath Output at the top change it to Standard Output.
    Under the Standard Registry box change it to All.
    Under the Custom scans and fixes section, paste in the below in bold


    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s ...

    4 more replies
    Answer Match 37.8%

    I have a Toshiba laptop with a built in web cam that works when I am not on the internet. Once I get online, the camera will not work anymore and says that it is locked by another program. I thought that there might be another program running so I ran Spybot in safemode to see if anything would come up. When spybot was scanning, I could see that it was scanning through coolwww, however it did not detect it nor try to delete it. I have run hijackthis and here is the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:01:56 PM, on 2/21/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18241)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    C:\Program Files\Apoint2K\ApMsgFwd.exe
    C:\Program Files\Toshiba\Utilities\KeN...

    A:Trojan Infection

    Hello and welcome to Bleeping Computer

    We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

    If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

    Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

    If you have already posted a DDS log, please do so again, as your situation may have changed.
    Use the 'Add Reply' and add the new log to this thread.

    Thanks and again sorry for the delay.

    We need to see some information about what is happening in your machine. Please perform the following scan:

    Download DDS by sUBs from one of the following links. Save it to your desktop.
    DDS.com
    DDS.scr
    DDS.pif
    Double click on the DDS icon, allow it to run.
    A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    Notepad will open with the results.
    Follow the instructions that pop up for p...

    12 more replies
    Answer Match 37.8%

    My apologies in advance for this book: My wife's avast! detected two infected files in with her temporary internet files, and recommended that she move them both to the virus chest, which she did. She was surfing some lawschool outlines website beforehand, and clicked on a few links, but didn't download any files or anything. After moving the infected files to the virus chest she found IE was locked up, so she ended the task from the task manager. She then launched IE and cleared out all of her temp. internet files just to be on the safe side. This is the point at which the pop-ups started. It seemed like we were getting a couple every 5 minutes or so. I came in & closed the pop-ups and browsed through the active processes to see if there were any that were unfamiliar or suspicious. I found one called GetModule30.exe, and after stopping the process, our pop-ups seemed to stop. I went ahead & ran regedit & deleted the key for it in the "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\run\", it didn't seem to show up anywhere else. I found the .exe file in "C:\Program Files\GetModule\" and deleted it as well. At this point all hell seemed to break loose. IE wasn't even open & all of a sudden there were 3 IE windows with a growing number of tabs in them, at least 15+ on each window. I managed to get them all closed, and then disabled the wireless connection. At some point in all this ...

    A:Trojan Infection - Many Pop-ups

    Hi rysheki,

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    Please, never rename Combofix unless instructed.
    Close any open browsers.
    Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    Close any open browsers.

    WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Open Hijackthis,
    Click Config | Misc...

    11 more replies
    Answer Match 37.8%

    Hi all.

    Just last night AVG scanned and found another trojan. Three of them are in the System Volume information tab but I can't get access even after I followed a microsoft guide. The other is in a windows file causing me to get an error message on startup:

    C:\WINDOWS\dmswmd.dll the specified file could not be found.

    As of last night I had a sudden onset of problems. My pc was extremely slow, internet explorer only worked on the first tab and AVG detected this last trojan. I tried to do a system restore but there was only one restore point (for earlier on the day when the new trojan was detected). All my other restore points were gone (I hadn't checked but I set it to use as much data as it wanted and apparently there were no other restore points ever but May 12th...) Downloaded Avira which found 3 more trojans. When I rebooted it takes ages to load if it loads at all and internet explorer has set facebook as the homepage (and only accessible page) and this cannot be changed...

    I don't really know what to do. I will do a system reboot if necessary but it will require me to back up 120 gig or so of data onto a hard disk which will probably take hours given the state of my pc. I don't understand how this happened so quickly to be honest - my PC is barely starting now and the old blue XP toolbar thing looks like the old windows grey one.

    I appreciate this isn't ideal but give me a shout for more info - I'll do my best.

    Many thanks!

    A:Trojan Infection

    System Volume Information...is the folder where System Restore info is found.

    If malware is contained in that folder, then it means that your System Restore is compromised and I would think it best to turn off SR (to eliminate the contents) and then turn it back on again (to start anew).

    I will move this to the Am I Infected forum where you can obtain some guidance and a closer look at your system will be taken.

    Louis

    1 more replies
    Answer Match 37.8%

    I downloaded a torrent, and turns out, that torrent contained a trojan. McAfee rooted it out, and deleted it, and I had Windows defender stop all changes to my system. But I found a program that was taking up 600 MB of my hard drive space called Outerinfo and I'm still wondering if I have an infection or not. Could you take a look at my HijackThis log and see if I have something, because that
    Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    looks kind of suspicious. If I do have something, can you tell me the best way to remove it?

    HijackThis Log:======

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 7:35:04 PM, on 11/19/2007
    Platform: Windows Vista (WinNT 6.00.1904)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Users\Hansen Qian\AppData\Roaming\Google\Google Talk\googletalk.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\McAfee\Comm...

    More replies
    Answer Match 37.8%

    A couple of days back Google Chrome - my default web browser - inexplicably stopped requesting webpages. No traffic coming from the app at all, which was working fine up to this point. I removed it and installed again but no difference.

    Ran AVG free 8.5 which picked up a trojan virus in System Volume Information. Couldn't remove it.

    Tried System Restore back to a point prior to when the Chrome browser stopped working. System Restore doesn't work.

    After this failed restore I ran AVG again and this time it didn't pick up any trojans or any virus at all.

    Sygate Personal Firewall now picks up IExplorer trying to connect to a 'gusmon.net' -> ip address 222.170.127.100 which is Chinese address. IE was apparently requested to do this by wmiprvse.exe so I'd say the Trojan has infected my system files.

    Yesterday it was trying to connect to 'tolule.net'.

    spybot snd doesn't detect anything either

    any clues for resolution?

    A:trojan infection

    blocked traffic with Chinese ip addresses & now discovered the Trojan seems to be disguising its traffic as arbitrary applications e.g. HijackThis, Firefox, java, etc.

    also using the url somemon.net

    6 more replies
    Answer Match 37.8%

    Hi all,

    I have avast av, malwarebytesantispyware and superantispyware installed and scanned with each of them three times with trojans showing up each time. The last scans came up clear but I thought a hjt scan was warranted to be sure. I know very little about what is shown so hoping somebody here can help me with the attached hjt log. Txs for any help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:20:04 PM, on 10/04/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Windows\Samsung\PanelMgr\SSMMgr.exe
    C:\Program Files (x86)\uTorrent\uTorrent.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.c...

    A:trojan infection

    Hello and welcome to Bleeping Computer

    We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

    If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

    Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

    If you have already posted a DDS log, please do so again, as your situation may have changed.
    Use the 'Add Reply' and add the new log to this thread.

    Thanks and again sorry for the delay.

    We need to see some information about what is happening in your machine. Please perform the following scan:

    Download DDS by sUBs from one of the following links. Save it to your desktop.
    DDS.scr
    DDS.pif
    Double click on the DDS icon, allow it to run.
    A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    Notepad will open with the results.
    Foll...

    14 more replies
    Answer Match 37.8%

    Hello,

    During a freeware install I think I got hit by a Trojan; I scanned the files with Norton beforehand and it found nothing, but during the setup the hourglass took too long so I checked the services and noted multiple instances of setup running. I killed them, checked winpatrol and saw that a number of Microsoft services had been started at the same time along with a large number of hidden files being created. I ran ESET, Norton, and mbam - ESET found the hidden files and mbam found one other file, all listed as Trojans; these were quarantined and deleted. I used TFC to clean my temp files. I also used WinPatrol to terminate/disable the new services started.

    I completed the preparation instructions (defogger, dds) with the exception of GMER, which I ran but which terminated with an error.

    Thanks in advance for any assistance you can provide.

    Scott

    ============== DDS Logfile =============================

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by Scott Erwin at 23:28:17 on 2011-11-15
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3546.2593 [GMT -7:00]
    .
    AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:...

    A:Trojan Infection?

    Hi,

    Please do the following:

    Please download aswMBR to your desktop.
    Double click the aswMBR.exe icon to run it
    When asked if you want to download Avast's virus definitions please select Yes.
    Click the Scan button to start the scan
    On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

    12 more replies
    Answer Match 37.8%

    hi... i'm having some problems with my computer. first of all, today when i had done the following; i found out that a guest is already there in my computer:
    * open run, enter cmd as usual
    * enter "net user"
    this resulted as a guest called: support_388945a0.
    i have managed to clean it, by doing net user support_388945a0 /delete.
    i have no idea whether this kind of problem in a computer creates huge problem, or not? well, but i have doubts since i think this would happen again.

    anyway, this was the first story. the main problem is that, now in my computer there is a trojan called A0031732.exe as my anti-virus program detected. it is not cleanable. now the program moved it to a quarantine file. so i scanned my computer this time with "a square". it found out 240 files that are better to be cleaned. but there is no improvement in A0031732.exe. it is still there. moreover, recently, i am suffering from the unwanted pop-ups and my computer is slower than usual. well, i am asking, what is happening? and what can i do? i think i have to send you a "hi-jack-this" file first. if you tell me how, i can. thank you very much...

    A:Trojan Infection

    anybody out there? ...

    3 more replies
    Answer Match 37.8%

    I've been recently having a Trojan keep popping up. I'm not sure if I got it. My antivirus picked it up but it showed up again. Thanks if you guys can help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:08:00 PM, on 12/26/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18828)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\DellTPad\Apoint.exe
    C:\Windows\OEM02Mon.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\Program Files\Windows Media Player...

    A:Trojan Infection

    Hello , And to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

    I will be working on your malware issues, this may or may not solve other issues you may have with your machine.
    Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
    You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

    -----------------------------------------------------------

    If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

    If you have already posted a DDS log, please do so again, as your situation may have changed.
    Use the 'Add Reply' and add the new log to this thread.

    We need to see some information about what is happening in your machine. Please perform the following scan:

    Download DDS by sUBs from one of the following links. Save it to your desktop.
    DDS.scr
    DDS.pif
    Double click on the DDS icon, allow it to run.
    A small box will open, with an explanation about the tool. No inp...

    2 more replies
    Answer Match 37.8%

    Hello all,
    since a couple of days I have had some problems with a trojan horse (I think). I keep getting pop-ups at my desktop, sometimes 10 in half an hour. My antivirus blocks the pop-ups but still it seriously bugs me. Normally I'm very careful with my computer, it's the first serious infection I've had in a long time. I have no idea where it came from. I only use my regular sites for downloading etc and I've never had any problems with them.

    I had AVG anti virus running together with malwarebytes. They both detected something (Generic"something".QAY) but couldn't delete it or place it in the vault. And afterwards they didn't detect it anymore (but the problem remained). Since then I changed my antivirus from AVG to Avast and from Avast to NOD32 but they all reacted the same.
    Then as a last resort I tried running Combofix in safemode but it won't run.. The primary loading screen comes up but just before it finishes my laptop reboots like nothing happened.

    Here are my logs from DDS & gmer. During the scan I got a warning about rootkit activity. Windows 7 came pre-installed at my laptop so I don't have a BOOT CD. I do have a separate recovery HD.
    Thank you!

    DDS:
    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Tom at 16:50:49,19 on do 14/04/2011
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.32.1043.18.3253.1999 [GMT 2:00]
    .
    AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
    SP: ESET NOD32 ...

    A:Trojan Infection (pop-ups)

    Hello and welcome. Please follow these guidelines while we work on your PC:
    Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
    Please do not run any scans or install/uninstall any applications without being directed to do so.
    Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
    Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

    It looks like you've run ComboFix on this PC. While you may see ComboFix being used quite often, the tool should not be run unsupervised (as stated in the Disclaimer that is first displayed by ComboFix when you run the tool). Going forward, I highly recommend you heed such instructions. As explained in Post 2 of our pre-posting topic...


    Quote:




    Why we don't ask you to run ComboFix from the onset

    As stated by the author of ComboFix:

    ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

    We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for at...

    9 more replies
    Answer Match 37.8%

    hie experts,
    need ur help.

    my pc jus got infected wit sum kinda trojan.. n evn tho' my e-trust antivirus detects n cures it.. i keep on getting d trojan alerts fr time to time..
    so plzz help me out


    fr ur reference.. here is d hijackthis report,


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:05:13 PM, on 1/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\wfxsnt40.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\CA\ETRUST~1\realmon.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
    C:\Program Files\CA\eTrust Antivirus Gateway\Bin\ControlCenter.exe
    C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\M...

    More replies
    Answer Match 37.8%

    I started cleaning my system this weekend. It's not clean yet. On Saturday, ESET found a trojan/backdoor/downloader and cleaned it. Windows Malicious Software Removal Tool found and removed a trojan. Today, Loaris found Trojan-Downloader.Win32.FraudLoad.vrfe and removed. Below are my DDS scans and attachments. Thanks in advance for your help.

    .
    DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.1.0
    Run by DBrown at 14:01:08 on 2011-11-01
    Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2972.1655 [GMT -4:00]
    .
    AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32...

    A:Trojan Infection

    Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

    We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

    To help Bleeping Computer better assist you please perform the following steps:

    ***************************************************

    In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

    CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/425904 <<< CLICK THIS LINK

    If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

    ***************************************************

    If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo...

    2 more replies
    Answer Match 37.8%

    Well I was using my P2P program and downloaded a game. Stupid me, right? yes. Very. Very. Very stupid.
    I should have learned my lesson by now.

    Anyways. It was a bittorrent file...and once it completely finished transferring, my AVG popped up with 3 possible Trojan threats.
    The exact name it gave me was "Trojan horse Dropper.Small.29.BU"

    I want to stress though that I DID NOT click on the game file from the torrent. I didn't even click on the folder. I TOUCHED NOTHING.
    All I did was immediately click "remove infections" on AVG. One of the three was deleted, but the other two said "object inaccessible."

    So from there..I deleted my P2P program..the bit torrent file..and then of course the folder with the "game" in it. And removed them all from my recycle bin.
    I then went back to AVG to try and delete the two once more, but it's still saying "Object inaccessible."

    My computer isn't acting weird..I'm scared to restart though

    What are my chances that I'm infected since I didn't even touch the files? I immediately deleted them. NOTHING was opened.

    Give me good news guys..please. lol

    A:Trojan? Possible infection? HELP PLZ!!

    Well after deleting all the files that could have been associated with the torrent..
    I ran my AVG again and it's showing zero infections.

    Is that a sure bet though? I'm still pretty scared..because earlier it said "object inaccessible."

    It's calming to see "0 infections found."

    But I'm still worried.

    Can anyone help me out?

    thanks a bunch.

    1 more replies
    Answer Match 37.8%

    I believe I have a hidden Trojan in the background maybe even a rootkit, here's the dds.txt

    DDS (Ver_10-10-10.03) - NTFSx86
    Run by rff at 9:02:30.92 on Sat 10/16/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2152 [GMT 1:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Sandboxie\SbieCtrl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\DOCUME~1\rff\LOCALS~1\Temp\Rar$EX00.906\Core Temp.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Sandboxie\SandboxieRpcSs.exe
    C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
    C:\Program Files\Opera\opera.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\rff\Desktop\dds.scr
    C:\Program Files\Sandboxie\SbieSvc.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp:...

    A:Trojan infection ?

    Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

    I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

    Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

    The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

    Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.

    The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

    Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

    You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

    -----------------------------------------------------------

    If you have since resolved the original problem you were having, we would appreciate you...

    2 more replies

    Dear Sirs
    I do hope you can help me.
    I have a trojan that my AVG HAS ALERTED ME TO.
    It seems to have affected the AVG as it won't run properly now nor will it update.
    My IE7 now also sends me to random websites and a lot of adverts are popping up. I did heal them using the anti virus but now it won't detect them nor update which is worrying me. I need to use firefox on my university site and this also worries me as I think it is a security threat or am I just talking nonsense.

    Kindest Regards Pete

    Having read the Terms and Conditions I think you need this info.

    DDS (Version 1.1.0) - NTFSx86
    Run by Peter Powell at 14:59:37.36 on 29/12/2008
    Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.1015 [GMT 0:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\...

    More replies

    My computer has been acting funny lately including slow performance, slow web page loading, program hangs, etc. A lot of shut downs and restarts. Anyway, I ran combofix as that was prescribed for me previously when I have had problems and it has run with no problems. It showed a file it deleted which is linked to "real.spy"

    Combo fix log was:

    ComboFix 13-02-24.01 - Greg 02/24/2013 17:37:12.11.8 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8140.5294 [GMT -5:00]
    Running from: c:\users\Greg\Desktop\ComboFix.exe
    AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\096BB4FEF9.sys
    c:\users\Greg\AppData\Local\Temp\_MEI58802\_ctypes.pyd
    c:\users\Greg\AppData\Local\Temp\_MEI58802\_elementtree.pyd
    c:\users\Greg\AppData\Local\Temp\_MEI58802\_hashlib.pyd
    c:\users\Greg\AppData\Local\Temp\_MEI58802\_socket.pyd
    c:\users\Greg\AppData\Local\Temp\_MEI58802\_ssl.pyd
    c:\users\Greg\AppData\Local\Temp\_MEI58802\pyexpat.pyd
    c:\users\Greg\AppData\Local\Temp\_MEI58802\pysqlite2._sqlite.pyd
    c:\users\Greg\AppData\Local\Temp\_MEI58802\python26.dll
    c:\users\Greg\AppData\Local\Temp\_ME...

    A:trojan infection

    6 more replies

    Hi again and Happy Thanksgiving!

    Windows XP SP3
    Dell Dimension

    So apparently Trojans are running rampant with Windows XP even with MSE running real time protection.

    I first noticed multiple tasks running such as csrss.exe and a couple of others. Updated and ran SuperAnti Spyware and it found Trojan.Agent/Gen-PWS. I quarantined the trojan and have deleted it. What are my next steps?

    A:Another Trojan Infection

    Hello and Happy Thanksgiving. Please also run these. I will be in and out today with the holiday.

    Please Download TDSSkiller
    Launch it. Click on change parameters - Select TDLFS file system
    Click on "Scan".
    Please post the LOG report (log file should be in your C drive)
    Do not change the default options on scan results.

    ADW Cleaner
    Please download AdwCleaner by Xplode onto your desktop.
    Close all open programs and internet browsers.
    Double click on adwcleaner.exe to run the tool.
    Click on Delete.
    Confirm each time with Ok.
    You will be prompted to restart your computer. A text file will open after the restart.
    Please post the contents of that logfile with your next reply.
    You can find the logfile at C:\AdwCleaner[S1].txt as well.

    >>>>>>ESET ONLINE
    I'd like us to scan your machine with ESET OnlineScan
    Hold down Control and click on this link to open ESET OnlineScan in a new window.
    Click the button.
    For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    Double click on the icon on your desktop.
    Check "YES, I accept the Terms of Use."
    Click the Start button.
    Accept any security warnings from your browser.
    Under scan settings, check "Scan Archives" and "Remove found threats"
    Click Advanced settings and select the following:
    Scan potentially unwanted applications
    Scan for potentially unsafe applications
    Enable An...

    24 more replies

    Was recently exposed to a trojan as identified by my computer savvy son. The pop ups I am receiving while online are labeled http:// desktoprepairpackage .com - Virus Remover2009 - Microsoft Internet Explorer. Offline the pop ups are skfjkhcdsh.com - Cannot find server - Microsoft Internet Explorer. I am running Windows XP Media Center Edition, Service Pack 3. Attached is the zipped file and other information I was asked to send. Any help to resolve this situation would be greatly appreciated as I am currently attending online classes and do not want to spread this to anyone else.



    Moderator's Note:

    The attachment should contain the Ark.txt, not the GMER.exe, and the Attach.txt alone is not enough for the analysis of malware. Please provide the proper set of logs as outlined on NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help page.

    A:Trojan infection

    Hello and welcome to TSF.

    The attachments you've provided do not contain the Ark.txt and the DDS.txt.
    The Attach.txt alone is not enough for the analysis of malware. Please provide the proper set of logs as outlined in our pre-posting process outlined here:

    http://www.techsupportforum.com/f50/...lp-305963.html

    After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

    If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

    1 more replies

    not sure what is wrong with my computer keep getting warnings from my windows defender (windows vista). attached is my HJT log. someone please help. thanks.

    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\agrsmsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Window...

    A:trojan infection

    Hello gersheff

    Welcome to the Bleeping Computer Malware Removal Forum, sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to.

    BitTorrent DNA <-- This is what most likely got you infected, P2P File Sharing have become the latest avenue of attack by malware writers.

    Read this please

    We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

    Because of this, we changed our malware forum's policy on the use of P2P file sharing programs. If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.

    If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.

    We do not ask you to do this without reason.

    P2P (File Sharing) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly co...

    2 more replies

    I have been looking at the firewall logs to PC-Cillin 2002 software and notice that for the past couple of weeks I have had some Trojan Backdoor blocking that are outbound. Protocol is UDP and description is Backdoor Orifice. This appeared on 12/09, 12/03, 11/25, 11/24, 3 times on 11/21 and 11/18 but description was NetBus, I wonder if this means that I have trojans on my computer? I don't have another software firewall because ZoneAlarm wouldn't install with PC-Cillin on the computer. On 11/10, 11/18, and 11/28 TROJ_NASCENE.Y and --- has been found and quarantined. Below is HiJackThis Log.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:35:18 AM, on 12/9/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Progra...

    A:Trojan Infection?

    I did a scan with PC-cillin 2002 but nothing came up.
     

    3 more replies

    Greetings to the BC Team. Once again I'm found in need of your help. (Damn brother of mine and his careless net surfing at 5 in the morning on a Sunday grrr! )

    Here's the symptoms:

    Every time when turning on the computer, it would self reboot, just before the icons would appear in the desktop.

    After self rebooting, the computer would then start normally, the desktop would appear normally etc, and there was a Microsoft Windows message, saying that the system had recovered from a serious error.

    Avast resident scanner kept reporting about the file C:\Windows\System32\adir.dll (identified as Win32:Trojan-gen. {Other}).

    Sygate firewall kept warning of C:Windows\System32\taskdir.exe being connected from a remote machine [81.177.26.27] using port 80.

    (On a side note, and in regards to firewalls, I noticed afterwards that XP's own firewall was now turned off. My brother told me already that he didn't turn it off manually, so I'm intrigued of how it got turned off then?...)

    Here's the initial HJT log, previous to having done the preliminary cleaning:

    Logfile of HijackThis v1.99.1
    Scan saved at 15:53:26, on 06-02-2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS ...

    A:Trojan Infection

    Hi and welcome.

    ewwww You are right. You have one heck of a mess and it will take a while to clean.

    Just to give you an idea what is going on you have I suspect a couple rootkits, several mailer bots, looks like some backdoors, possibly a keylogger or 2, a virus and pretty much everything in-between.

    Something I suggest you do for your brother.
    Make him his own account & set it to limited.
    Then password protect your account and the built-in admin account you see in safe mode.
    With him running as a limited user whatever he foobars the computer up with will be greatly reduced because unless you are admin...you can't do much. User actions (and the malware if he set something off) has much less effect.

    I'll be suggesting some programs to install to help reduce these chances even more.

    If he was looking for cracks/porn you can also tell him if you catch him doin it again...he no longer has access to your computer. I think he'll think 2wice before going against your rules. ;)
    If only he knew how dangerous these actions are.
    So many of these sites lead to massive instant infection just "looking".

    One good thing you have going for you is the fact you can get to safe mode.
    Sality virus usually trashes that by deleting everything in the registry that lets you load safe mode.

    If you use this box for sensitive stuff like online banking, credit card stuff, or any other financial transactions you will need to have your passwords changed for these sites.
    Also advise you to contact your bank...

    more replies

    Dear BC community,

    I hope I'm posting this in the right place, and that those in the know are able and willing to help me.

    Last week I received an expected e-mail attachment from a trusted source with an unexpected surprise included in the .rar archive, which I in my infinite stupidity doubleclicked.
    Since then, every time I connect a removable storage device, McAfee (Enterprise 8.7i) pops up with a warning that Generic!atr attempted to multiply itself, or at least an autorun.inf file.

    The infection creates the files "install.exe" and "autorun.inf" in the root directory of each connected disk. These files both have the "hidden" attribute enabled. Neither can be removed by regular means, because they are always "in use by another user or application". McAfee manages to remove the autorun.inf file, because it is recognised as mentioned above.

    When I right-click on the "install.exe" file and choose "properties", a shortcut appears in the same dir, with MS-DOS icon, it can be removed normally.

    If I connect a digital camera, both files proliferate to its memory stick, whereupon it has to be removed "unsafely" because it's constantly "in use".
    When it is reconnected after doing so, the copy of "install.exe" on the memory stick shows "ewbkb2l0zjw" in the space where software publisher and/or document type are usually displayed in gray text, below the file name.

    So far, I ...

    A:Trojan infection

    Problem has been fixed by the latest version of Spybot - Search & Destroy. Thank you for your time, and good luck.

    1 more replies

    I've got a Trojan.SVChost/fake I can't get rid of. I'm afraid I have infection so bad all I can do is reformat. I really need some help with this. Thank you in advance.

    A:Trojan Infection

    Hello can you run these??

    RKill....
    Please download Rkill by Grinler and save it to your desktop.
    Link 2
    Link 3
    Link 4
    Double-click on the Rkill desktop icon to run the tool.
    If using Vista, right-click on it and Run As Administrator.
    A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    If not, delete the file, then download and use the one provided in Link 2.
    If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    If the tool does not run from any of the links provided, please let me know.
    You will need to run the application again if rebooting the computer occurs along the way.

    TDDS Killer
    Please download TDSSKiller.zip and save it to your desktop.
    Extract the zip file to your desktop.
    Doubleclick tdsskiller.exe to run it.
    When it finished press any key to continue.
    If needed reboot the computer.
    Let me know if after a reboot you are still having redirects.

    Next run MBAM (MalwareBytes):
    NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.
    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link
    MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
    Make sure you are connected to the Internet.
    Double-click on m...

    5 more replies

    Hey all. First time poster here. I appreciate the work that you all are doing here and hope that you can lend some of it to me. I am experiencing Trojan (TR/Trash.Gen, TR/Retapu.D.39, prunnet.exe Trojan.Agent, and others) pop-ups from my Antivir and I cannot get rid of them. I have already run Malwarebytes and repaired once but I am still infected. Thanks in advance. My logs are as follows:

    HiJackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:29:15 AM, on 1/1/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files...

    A:Trojan Infection

    Here's my DDS log also:

    DDS (Version 1.1.0) - NTFSx86
    Run by Jeremy Van Pelt at 10:45:39.62 on Sun 01/04/2009
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1307 [GMT -6:00]

    AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Razer\Copperhead\razerhid.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Ideazon\ZEngine\Zboard.exe
    C:\Program Files\...

    20 more replies

    Infected by win32 TratBHO (trj)
    -scanned with superanti spyware in safemode
    -can't shake it

    here is the HJT log.
    Thanks in advance to anyone with advice.
    -S
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:55:05 PM, on 1/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
    C:\Program Files\Messenger\msmsgs.exe
    ...

    A:Trojan infection

    11 more replies

    My niece bought a Dell laptop a couple of months ago and didn't have the firewall active while searching the internet. I believe that is where her problems started. The computer quit working and started telling her through pop ups that it was infected, give us your banking information and we will fix you up. Fortunately, she didn't give out any information but got ahold of me instead. Anyway, she has McAfee installed and I was able to get it to run and "recover" the computer. Now when it boots up, it has 2 dll errors that pop up: efikuhoxaj.dll and wmspotEn.dll which were quarantined by McAfee. The McAfee log follows along with the other logs requested by your Read this First post at the top of this Forum. When I ran the GMER executable, after saving the log file, the computer BSOD'ed on me and rebooted. The Ark.log file has no information in it. Is this normal or did I do something wrong? Any help you can give is appreciated. Thanks.

    McAfee:

    8/7/2010 4:47:17 PM "C:\USERS\MAV\APPDATA\LOCAL\ENSSJKXFV\SLRPCUSTSSD.EXE" "FakeAlert-FakeSpy!env.a,FakeAlert-FakeSpy!env.a" "1"
    9/21/2010 11:15:52 AM "c:\users\mav\appdata\local\efikuhoxaj.dll" "Hiloti.gen.g,Hiloti.gen.g,Hiloti.gen.g,Hiloti.gen.g" "1"
    9/21/2010 11:16:03 AM "c:\users\mav\appdata\local\efikuhoxaj.dll" "Hiloti.gen.g,Hiloti.gen.g,Hiloti.gen.g,Hiloti.gen.g" "1"
    9/21/2010 11:16:09 AM "c:\users\mav\appdata\...

    A:Trojan infection?

    16 more replies

    Hi there,
    First, I sincerely appreciate the volunteer's time, patience and expertise. Thank you!
    I first posted in Am I Infected (XP). Here is the thread:
    http://www.bleepingcomputer.com/forums/topic397513.html/page__pid__2255619#entry2255619

    As advised, I ran several scans, which are pasted below or attached.

    Here is the history of my problem:

    OS is Windows XP Media Edition
    PC is an HP Media Center desktop

    Problem history (it is a bit of a blur now, so the order of things could be off):
    - Running AVG and McAfee with daily scans.
    - A few days ago my husband tried to download an image off the internet, and both anti-virus programs alerted to a problem.
    - We ran a virus scan and AVG found a generic trojan horse, put it in quarantine.
    - Things seemed to get progressively worse. PC would startup, but icons did not have programs associated with them. We had to use the Associate Program dialogue box to find programs, sometimes two or three times.
    - AVG didn't find anything else.
    - Downloaded Avast, it found about twenty problems, mostly .dll, all in quarantine now.
    - Upon startup, AppleSync window would say CoreFoundation.dll not found.
    - Then nothing seemed to work - no programs would open after startup, including control-alt-delete.
    - Tried dougknox.com Windows XP file extension fix, for .exe files (edits the registry I believe). (I am not implying that was the problem)
    - Only safe mode works now.
    - I tried starting up with Last Known Good Configuration, and th...

    A:Trojan (I think) Infection

    Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

    I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

    Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

    The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

    Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.

    The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

    Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

    You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

    -----------------------------------------------------------

    If you have since resolved the original problem you were having, we would appreciate you...

    2 more replies

    Hi... Someone I work with had a trojan on his computer this morning, was operating without AV....

    I downloaded, installed, and ran:
    Spybot S&D
    Ad-AwareSE
    Ewido
    AVG free personal edition
    Firefox
    All the current windows updates

    And HJT. I deleted all I could from the scans above. Can you take a look at the HJT log and see if we're clean? I'll advise him on how not to be here again.

    Thanks!
    Valerie

    Logfile of HijackThis v1.99.1
    Scan saved at 12:47:39 PM, on 6/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\LogMeIn\RaMaint.exe
    C:\Program Files\LogMeIn\LogMeIn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\LogMeIn\LogMeIn.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTun...

    A:Trojan infection

    Hi Valerie

    The log is clean. Are there any other problems? Looks like you did a good job cleaning.

    If you need any advice on keeping clean, just post back and I'll drop in my 'clean speech' for you.

    4 more replies

    I have a Dell Vostro 1500 and as of 4 days ago it was infected with a virus. I have McAfee and it popped up saying I had 38 trojan infections and then the screen went blue and said I was infected with spyware and must fix it immediately but it would not let me open anything.

    Today I turned it back on to try and see if I could fix it even though I know nothing about computers. It started up fine, no blue screen, did a scan and said that I had 4 trojans but they were quarantined. But when I tried to open up any programs it says the application can not be found and then McAfee popped up saying I have a Trojan and to restart my computer which I did. But still none of my programs will open. All of my photos and documents seem to still be there it is just the programs that aren't working. I have NO CLUE what to do! Please help!!!!!
     

    More replies

    Problem File:
    C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSSRCAS.DLL

    Type:
    Win32/Virus.WebToolbar.c34

    So I did a scan on my system today with 360 Total Security Malware System Protection and it turned up a critical file. I know nothing about virus/malware programs and all I did was quarantine the file in question till I could get some feedback on how to handle it. Program stated that it was a Trojan and that the file description was MyWebSearch_Search Assistance "whatever that means" with a valid digital sig. Now what do I do after I quarantine it? Do I remove the ext. or do I remove the whole program file stran & then reinstall.

    Would appreciate any advice from some of you experienced tech savvy people out there to help me solve this problem which I am facing and maybe some 101 on virus program do's and don'ts.

    Your fellow friend in need of a fix to his problematic computer.
    THK3

    More replies

    My PC seems to have a Trojan virus, yesterday whilst gaming it suddenly restarted automatically. When windows had loaded Avg had detected a Trojan. Seems like my Gaming account may have been hacked. I have tried to heal the infection with AVG but after reboot the warning pops up, not sure what to do. Infection is called Trojan Horse Generic10.CPW and located in C:\Windows\system32\LTSMMSG.exe according to AVG. Please help.

    Regards Shichum.
     

    A:Trojan infection

    7 more replies
    Answer Match 37.8%

    My friend asked me to fix her computer for her; I had just built it for her less than a month ago and within a few days of her getting it, it got a virus. v_v;; She complained that this wouldn't work, that wouldn't work, blah, blah, blah. So I decided to take a look at it today, and whattya know, a really nice fat trojan. The cockroach kind, bringing in more.

    At first when I started inspecting it, I noticed that she left all firewalls off [Windows and PCtools] and I wondered why she had them off, only to find out that nothing internet related would work unless they were off. Checked the block lists and nothing really seemed out of the ordinary. I've encountered many viruses before, but none that would do something like that unless there was something else getting screwed up, like clock changing and pop ups saying your system isn't protected, etc. [Though updates were turned off, and I'm sure she didn't do it.]

    I've run a few scans in PCtools so far, each time saying they've found trojans. Each time, I get rid of them. Now I'm confident in PCtools, but I still want to know what you guys think...

    So;

    Internet [and her Steam related games as well actually, none being in the block list] not working unless firewall is off

    A couple times I've encountered an error saying "The requested look up key was not found in any active activation context." Then opens a blank window in IE. But I'm starting to think that's not virus related?...
    That happens when I tr... Read more

    A:Possible trojan infection

    Bumping

    2 more replies
    Answer Match 37.8%

    Norton Anti-Virus has been popping up quarantined items: "Trojan.Malscript!html"

    How do I remove?

    A:Trojan infection

    Download Security Check from HERE, and save it to your Desktop.
    * Double-click SecurityCheck.exe
    * Follow the onscreen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    =============================================================================

    Please download MiniToolBox and run it.
    Checkmark following boxes:
    * Report IE Proxy Settings
    * Report FF Proxy Settings
    * List content of Hosts
    * List IP configuration
    * List Winsock Entries
    * List last 10 Event Viewer log
    * List Installed Programs
    * List Users, Partitions and Memory size
    Click Go and post the result.

    =============================================================================

    Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.
    Be sure to restart the computer.

    The ... Read more

    9 more replies
    Answer Match 37.8%

    Been fighting this every way I know how, but it appears that I'm in need of help. Have some sort of trojan that avoids most of the scans I've been running. Malwarebytes is unable to find anything, and even a few Rescue CDs (Bit Defender, Kaspersky) are unable to remove the infection. I'm only able to boot into safe mode to get any usefulness out of the computer. Thanks for the help, and I've posted a DDS and Hijack this log below. Any opinions to help me get rid of this thing are gold to me.

    DDS (Ver_09-10-13.01) - NTFSx86 NETWORK
    Run by Art at 18:06:18.09 on Tue 10/13/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1561 [GMT -4:00]
    AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
    FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

    ============== Running Processes ===============
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Pidgin\pidgin.exe
    C:\Documents and Settings\Art\Desktop\dds.scr

    ============== Pseudo HJT Report ===============
    uStart Page = hxxp://www.google.com
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    mSearch Page = hxxp://www.google.c... Read more

    A:Possible Trojan Infection

    Hello and welcome to Bleeping Computer

    We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

    If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

    Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

    If you have already posted a DDS log, please do so again, as your situation may have changed.
    Use the 'Add Reply' and add the new log to this thread.

    Thanks and again sorry for the delay.

    We need to see some information about what is happening in your machine. Please perform the following scan:
    Download DDS by sUBs from one of the following links. Save it to your desktop.
    DDS.scr
    DDS.pif
    Double click on the DDS icon, allow it to run.
    A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    Notepad will open with the results.
    Foll... Read more

    2 more replies
    Answer Match 37.8%

    Hi there.

    I have been advised by a tech guy at Kaspersky that I have one or more viruses and he sent me instructions on how to fix the problem. His instructions suggested that I use the Kaspersky Virus removal tool (I have done that) and also try Combofix, but after reading the instructions for Combofix, I am unwilling to proceed without help from more knowledgeable people. Please advise how best to proceed.

    Thank you.

    A:Trojan infection

    Hello and welcome to Bleeping Computer. My name is Computer Pro and I will be helping you with your issue.

    Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

    To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Finally, press submit.

    Let's take a look with Malwarebytes

    Please download Malwarebytes' Anti-Malware from here:
    Malwarebytes

    Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

    MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

    Double Click zztoy.exe to install the application.
    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Full Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Se... Read more

    20 more replies